fix(nox): improve the PATH manipulation (#920)

akinomyoga · web-flow · commit 1d2aac1221a3 · 2023-04-08T20:15:07.000+09:00
When `type -p "$1"` fails or does not output anything because the file is hidden by an alias or a function, the current treatment results in `PATH=:$PATH`. The empty path in `PATH` results in possible executions of an executable file in the current directory, `./register-python-argcomplete` or `./register-python-argcomplete3`, which can be a vulnerability. An attacker might put arbitrary commands in the files named `register-python-argcomplete`. For the case that the command is hidden by an alias or by a shell function, we can use `type -P "$1"` instead of `type -p "$1"`. For the case, that the user attempts to run a completion for the command that is not installed in the system, we can test whether the resulting path is non-empty. #917 (comment)
diff --git a/completions/_nox b/completions/_nox
@@ -4,7 +4,8 @@
 # This serves as a fallback in case the completion is not installed otherwise.
 
 eval -- "$(
-    PATH=$(type -p "$1" 2>/dev/null | command sed 's,/[^/]*$,,')${PATH:+:$PATH}
+    bin_path=$(type -P "$1" 2>/dev/null | command sed 's,/[^/]*$,,')
+    [[ $bin_path ]] && PATH=$bin_path${PATH:+:$PATH}
     register-python-argcomplete --shell bash "$1" 2>/dev/null ||
         register-python-argcomplete3 --shell bash "$1" 2>/dev/null
 )"
